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What is Ransomware? 

Why is Ransomware Harmful? 

Best Practices You Can Implement to 
Avoid Ransomware Attacks 
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About Tokio Marine HCC 
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Part of Tokio Marine, a premier global company Underwrites over 


Tokio Marine 100 
HCC 1879 33 billion of specialty insurance 


1 8 DIFFERENT BUSINESS UNITS 


Highly rated insurance A.M. S&P Global Fitch 
company achieving Best Ratings Ratings 


SUPERIOR STRONG VERY STRONG 


“Figures as of 03/31/2021 


Company confidential — Not for distribution 
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Tokio Marine HCC — Cyber & Professional Lines WW 
Group 


Tokio Marine HCC — CPLG is the marketing name used to describe the 


cyber and professional lines related insurance operations of Tokio Marine 
HCC 


SACRAMENTO 
& CONCORD, CA 


¢ Formed in April 2019 
¢ Provides unique specialty insurance solutions 
¢ Product lines include: 

Tech & Cyber 

Professional Liability 

Reinsurance & Programs 


Over $1 50 million in Annual Cyber Premium 


ATLANTA, GA 


Over 2,200 cyber matters handled per year 
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Cyber Landscape 


Ripped from the Headlines 


Ryuk ransomware responsible 
for one third of all ransomware 


attacks in 2020 —_ 


» * 


WannaCry: Massive ransomware 
infection hits computers 
in 99 countries 


Hackers breached Colonial Pipeline 
using compromised password 


Blackbaud ransomweare attack 
may have impacted millions 
of individuals 


| ‘Payment sent’ travel giant 
CWT pays $4.5M ransom to 
cyber criminals 
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Catholic Mutual Ransomware Claims Statistics WW 


Contract Year 7/1/2018 7/1/2019 7/1/2020 2021 (YTD) Total 


GUISE RSME 5 13 16 { 35 

Claims 

Closed 5 13 vA @) 25 
0 9 { 10 


Total Paid $162,965 $1,000,484 $922,774 $16,151 $2,103,374 


Average Paid $32,593 $76,960 $57,673 $16,151 $60,068 
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Ransomware Scenario 
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An employee opened a link in an email, that appeared to 
be sent by another employee of the firm, but it was actually 
sent by a hacker. 


The link contained a ransomware virus that, when opened, 
immediately began to encrypt all files on the employee’s 
computer, including the finance and payroll files. 


The virus was discovered when the employee tried to 
access a file, and an alert appeared on the screen, 
notifying that all files had been encrypted and could only be 
unlocked if a ‘ransom’ was paid in BitCoin. 


Examples of Ransomware messages 
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All your important files are encrypted. 


Support 
Message Center 
ty we — — file here 


ervice once for FREE 
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WARNING 
We have encrypt your files with CryptoLocker virus 


Yow erg Leet flies (eeckading Dene ce the eeteorh Gra.) Ui et) photos vihews Gecureet ok were 
emerypent OD Crypt acter vir. The oy may te get you fies tad fh to bey oe Grcryptin seftewe 


Comtian: Seemewing of Cryptet ocher @ff net restore access to your encrypted fies The only may te save your 
fies te bey 2 Geuryptiee tetteare Otewne your fies o@ be bot 


Our website should also be accessible from one of these links: 
Se eee a Se ter Oe et be ot”) eed 
blip. ertieetepgac fi Gree i er rg. ey gg Le 
DO er tee ep al he. tor Det og Bay ote’! ) ed 
Dew . © tenet rege Seu. ari. Wat. Ig sea! | r 


Frequently Asked Questions 


TOKIO MARINE 


NOT YOUR LANGUAGE? USE https://translate.google.com 


What happened to your files ? 
All of your files were protected by a strong encryption with RSA4096 i 
More information about the encryption keys using RSA4096 can be found here: http: / /en.wikipedia.org/wiki/RSA_(cryptosystem) 
How did this happen ? 

It! Specially for your PC was generated personal RSA4096 Key , both public and private. 

i! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. 

it! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server 
What do Ido? 


So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way 
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment 


Your personal ID:°6 | 782630505 


For more specific instructions, please visit your personal home page, there are a S" different addresses pointing to your page below: 


1 - http://hn5fbbc4pyz7 7xfa.onion.to 
2- http:/ /hnSfbbc4pyz77xfa.onion.cab 
3 - http: //hnSfbbc4pyz/7xfa.onion.cty 


If for some reasons the addresses are not available, follow these steps: 


1 - Download and install tor-browser: http:/ /www.torproject.org/projects/torbrowser.html.en 
2 - After a successful installation, run the browser 


3 - Type in the address bar - http:/ /hn5fbbc4pyz77xfa.onion 
4 ~ Follow the instructions on the site 


Be sure to copy your personal ID and the instruction link to your notepad not to lose them. 
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OFAC Advisory on Ransomware WW 


* October 2020: The Office of Foreign Assets Control (OFAC) issued an advisory of 
sanctions risks associated with ransomware payments, related to malicious cyber- 
enable activities. OFAC has designated numerous malicious cyber actors, under its 
cyber-related sanctions program and other sanctions programs, including 
perpetrators of ransomware attacks and those who facilitate ransomware 
transactions. 


¢ September 2021: OFAC issues an updated advisory OFAC urging companies that 
engage with victims of ransomware attacks (i.e., cyber insurers, digital forensics and 
incident response firms and financial institutions) to implement sanctions compliance 
programs that account for the risk that a ransomware payment may involve a 
Specially Designated Nationals and Blocked Persons List (“SDN List”). 


TMHCC claims team always has OFAC clearance before approving ransom 
reimbursements. 
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Why is Ransomware Harmful’? WW 


> Information is extremely valuable as organizations cannot function without 
access to their files. 


> Ransomwere is low risk for criminals, as they request their ransom to be paid 
in Bitcoin, so they remain completely anonymous. 


> Once downloaded into a victim’s computer, it can spread to all connected 
devices. 


> Ransomwere is used to steal data and/or move laterally within a corporate 
network to perform reconnaissance. 


> All organizations are potential victims and might have to pay the ransom to 
regain access to their data. 


\Y TOKIO MARINE 
\ HCC 


— 


| 
ss &__]==p Risk Management 
—e 


TOKIO MARINE 
HCC 


CYBER RISK MANAGEMENT 


Get Advice Report a Breac 


— to TMHCC cyberNET and Catnoiic Mutual 
° 24/7 access to CyberNET risk management website oer 
provides your Insureds with vital information, training, 
and support to prepare for, defend against, and respond 


to a cyber incident. 


Home 


YOUR TOP CYBER THREATS 


i 
e Best Practices Guidelines - 

Risk Assessments and Fitness Checklists Rénsomnnere Email’Eratid 
e Incident Response Planning 
. Online Training Courses ay na —— you get your data Me A dea pb salar asa re transferred 
‘Sample Policies/ Procedures 


NEW ATTACKS TOP SOLUTIONS 


TWO-FACTOR 
AUTHENTICATION 
tio 


nal protection to reduce 


AOCIHIONG 
DUSINESS € 


mail compromise and > 
ransomware damages 


OFFLINE BACKUPS 
Backups p 


Ups protect against 
amaqges 


ransomware Gamag 


US Authorities Arrest REVil Ransomware Operator NEXT GEN ANTI-VIRUS ; 


Top 8 Ways to Beat Ransomware 


Train Employees 

RDP & Access Control 

Install Software Patches 

Create Offline Backups 

Implement Multi-factor Authentication (MFA) 
Install & Update “Next-Gent’ Antivirus 

Email Security Settings 

Endpoint Security 
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Claims Handling 


Claims Handling 
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Just like a normal claim, Members report 
claims directly to Catholic Mutual. 


Claims are forwarded to TMHCC 
Single Point of Contact 
Logical Procedural Steps 


Consistent communication and 
coordination with Catholic Mutual 
policyholders 
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Questions? 
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Susan Doucette 


sdoucette@tmhcc.com 


Thi presentation may contain copyrighted materials the use of which has not always been specifically authorized by the copyright owner. Whenever possible we include the name of the author or owner of the copyrighted material and give them fullreco gnition, including the hypertext or link to the internet site of the source of such information. We are making the 
information available for education, news reporting, r esearch, teaching and discussion purposes and to advance awareness and understanding of issues relating to personally identifiable infor mation and associated risks. We believe this constitutes ‘fair use’ of any such copyrighted material as provided for under the Fair Use exemptions of Title 17 U.S.C. Section 107 of 


the U.S. Copyright Law. Further use is prohibited. If you wish to use copyrighted material from this presentation for purposes of your own that go beyond ‘fair use’, you must obtain permission from the copyright owner. All materials that are the product of Tokio Marine HCC are copyrighted and/or trademarked and all rights are reserved. 
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Learn more about Tokio Marine HCC: 
www.tmhcc.com 
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DATA SOURCES by SLIDE — Cyber Liability Coverage WW 


Ripped from the Headlines: 
Colonial Pipeline- Bloomberg.com: https :/Awww.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password 


Blackbaud- 
Benefitspro.com- https://www.benefits pro.com/2020/10/12/blackb aud-ransomware-attack-may-have-impacted-millions-of-individuals/?slreturn=20220011161218 


Identity Theft Resource Center- https://www.idtheftcenter.org/post/blackbaud-data-breach-leaves-lasting-impact-on-u-s-and-international-nonprofits/ 


CWT- Reuters.com- https ://www.reuters .com/article/us-cyber-cwt-ransom/payment-sent-travel-giant-cwt-pays-4-5-million-ransom-to-cyber-criminals-id USKC N24W 25W 


Ryuk- Securitymagazine.com- https :/Awww.securitymagazine.com/articles/93769-ryuk-ransomware-responsible-for- one-third-of-all-ransomware-attacks-in-2020 
Zdnet.com- https:/Awww.zdnet.com/article/ryuk-gang-estimated-to-have-made-more-than-150-million-from-ransomware-attacks/ 


WannaCry- BBC News- hittos://www.bbc.com/news/technology-39901382 


“White House Holds Global Ransomware Meeting”- posted on TMHCC cyberNET and Catholic Mutual Group risk management website October 18, 2021 


Risk Scenario Slides 


These risk/claim scenarios are provided here for illustrative purposes only. The scenarios are examples of the types of claims and associated costs commonly seen and do not represent a comprehensive 
explanation of any one particular claim. While the subject coverage is designed to address certain risks and associated costs, coverage may not be available in all circumstances. Each reported claim will be 
evaluated on a case-by-case basis. The actual policy or endorsement language should be referenced to determine coverage applicability and availability. 


https ://www.__cyber-map/threat-map-old.html 


